ZOOMTITLE issues


  • ZOOMTITLE issues

    I'm having some issues with encoding content for the ZOOMTITLE meta tag from ASP.NET (3.5).

    If I let .NET use the default method (HtmlAttributeEncode), it only encodes '"' (double quote), '&', and '<'. Zoom displays an error about invalid html near ZOOMTITLE if there is a '>' in the content. (Note: Opera 10 displays this as if it thinks it's invalid html when viewing the source of the web page, too. Firefox 3.5 does not.)

    If I use Microsoft.Security.Application.AntiXss.HtmlAttributeEncode (version 3.1), it encodes '>', but it also encodes spaces as "& #32;" (remove the space). On the search results, the encoded spaces are stripped out completely from the page titles.

    For now, I have to use a custom function to encode the '>' characters, but not spaces. (If only one of these scenarios is changed in the Zoom Search Engine, I would rather it be the handling of the encoded spaces.)

    (This is for Zoom Search Engine version 6.0 build 1017.)

  • #2
    When creating a web page, any greater than or less than signs in the content of an HTML document need to be encoded using character entities. This needs to be done regardless of whether the page is created with .NET, PHP, or is just static HTML. Most HTML editors do this for you automatically.

    Commonly this is done by replacing greater than with &gt;


    We shouldn't be stripping out spaces however. What version of Zoom are you using and what script (probably the .NET option I guess, but doesn't hurt to ask).



    • #3
      Originally posted by ashmud
      If I let .NET use the default method (HtmlAttributeEncode), it only encodes '"' (double quote), '&', and '<'. Zoom displays an error about invalid html near ZOOMTITLE if there is a '>' in the content. (Note: Opera 10 displays this as if it thinks it's invalid html when viewing the source of the web page, too. Firefox 3.5 does not.)

      If I use Microsoft.Security.Application.AntiXss.HtmlAttributeEncode (version 3.1), it encodes '>', but it also encodes spaces as "& #32;" (remove the space). On the search results, the encoded spaces are stripped out completely from the page titles.

      For now, I have to use a custom function to encode the '>' characters, but not spaces. (If only one of these scenarios is changed in the Zoom Search Engine, I would rather it be the handling of the encoded spaces.)

      Try using HttpUtility.HtmlEncode instead. This will encode the ">" character. HtmlEncode is the default encoding method in .NET, not HtmlAttributeEncode.

      HtmlAttributeEncode does the most minimal work and is more commonly used as a quick way of preventing XSS when echoing user input.
      --Ray
      Wrensoft Web Software
      Sydney, Australia
      Zoom Search Engine



      • #4
        Originally posted by wrensoft
        We shouldn't be stripping out spaces however. What version of Zoom are you using and what script (probably the .NET option I guess, but doesn't hurt to ask).

        Version 6.0 build 1017, .NET script. Again, non-encoded spaces are fine, it's only if they're encoded as "& #32;" (remove the space) that they get stripped out.

        Originally posted by Ray
        Try using HttpUtility.HtmlEncode instead. This will encode the ">" character. HtmlEncode is the default encoding method in .NET, not HtmlAttributeEncode.

        HttpUtility.HtmlEncode worked. Thanks! (Not sure why I didn't try that.)

        HtmlAttributeEncode is what .NET uses for control attributes (at least in 3.5), though. For example, if you have code like this, it will use HtmlAttributeEncode internally ('>' won't be encoded):

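        Code:
            // Requires: using System.Web.UI; using System.Web.UI.HtmlControls;
            private Control GetHtmlMeta(string name, string content)
            {
                HtmlMeta control = new HtmlMeta();
                control.Name = name;
                // Content is written into the rendered content="..." attribute.
                control.Content = content;
                return control;
            }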



        • #5
          Originally posted by ashmud
          HttpUtility.HtmlEncode worked. Thanks! (Not sure why I didn't try that.)

          HtmlAttributeEncode is what .NET uses for control attributes (at least in 3.5), though.

          Hmm... I see, the behaviour of HtmlAttributeEncode has changed in different versions of .NET so it's a little hard to keep track. Either way, glad HtmlEncode is working for you.

          We might have to take a look into making Zoom more tolerant of unencoded ">" characters in attribute text.
          --Ray
          Wrensoft Web Software
          Sydney, Australia
          Zoom Search Engine
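
Added example (not part of the thread and not Wrensoft's or Microsoft's code): the three encoding behaviours discussed above, modelled with a hypothetical `Encode` helper and a constructed sample title, then checked for a leftover raw '>' and for a clean round trip. `System.Net.WebUtility.HtmlDecode` stands in for a standards-following decoder and assumes .NET 4 or later (the thread used 3.5).

```csharp
using System;
using System.Net;   // WebUtility.HtmlDecode (assumes .NET 4 or later)
using System.Text;

static class ZoomTitleDemo
{
    // Hypothetical encoder with switches for the two behaviours the thread contrasts:
    // whether '>' is encoded and whether spaces become the numeric reference &#32;.
    static string Encode(string value, bool encodeGt, bool encodeSpace)
    {
        var sb = new StringBuilder();
        foreach (char c in value ?? string.Empty)
        {
            switch (c)
            {
                case '&': sb.Append("&amp;"); break;
                case '"': sb.Append("&quot;"); break;
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append(encodeGt ? "&gt;" : ">"); break;
                case ' ': sb.Append(encodeSpace ? "&#32;" : " "); break;
                default:  sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Prints the resulting meta tag, whether a raw '>' survives inside the
    // attribute value, and whether decoding returns the original title.
    static void Report(string label, string encoded, string original)
    {
        bool rawGt = encoded.IndexOf('>') >= 0;
        bool roundTrips = WebUtility.HtmlDecode(encoded) == original;
        Console.WriteLine("{0,-22} <meta name=\"ZOOMTITLE\" content=\"{1}\" />", label, encoded);
        Console.WriteLine("{0,-22} raw '>' left: {1}, decodes to original: {2}", "", rawGt, roundTrips);
    }

    static void Main()
    {
        string title = "Tom & \"Jerry\" > <Spike>";   // constructed sample title
        Report("'\"', '&', '<' only:", Encode(title, false, false), title);
        Report("also '>' and spaces:", Encode(title, true, true), title);
        Report("'>' but not spaces:", Encode(title, true, false), title);
    }
}
```

All three outputs decode back to the original title, so the `&#32;` form is valid markup; only the first leaves a raw '>' inside the attribute value.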
